Kevin Ian Schmidt

Overview of the PEACE Method: investigative Interviews

The PEACE Method of investigative interviews is best suited for detailed employee investigations, and you need a strict understanding of the processes involved, so you can execute it properly. I am writing to provide you with a detailed overview of the PEACE Method, so you can decide if you are interested in trying it for your company. If you want to learn more, contact me and we can set up a consultation.


  1. The role of investigative interviewing

eye metricsThe gathering of information from a well-prepared victim or witness interview will contribute significantly to any investigation. An effective interview of a suspect will commit them to an account of events that may include an admission or may provide information leading to further witnesses of benefit to an investigation. Conversely, failure to professionally undertake interviews can have adverse consequences in terms of failure to adhere to legislation, loss of critical material, lack of credibility and loss of confidence. For this reason our Investigators adopt the PEACE framework detailed below.

  1. Principles of investigative interviewing
  2. The aim of investigative interviewing is to obtain accurate and reliable accounts from
    victims, witnesses or suspects about matters under investigation.
    ii. Investigators must act fairly when questioning victims, witnesses or suspects.
    Vulnerable people must be treated with particular consideration at all times.
    iii. Investigative interviewing should be approached with an investigative mindset.
    Accounts obtained from the person who is being interviewed should always be tested
    against what the interviewer already knows or what can reasonably be established.
    iv. When conducting an interview, investigators are free to ask a wide range of questions
    in order to obtain material which may assist an investigation.
    v. Investigators should recognize the positive impact of fairly and considerably conducted interview
    vi. Investigators are not bound to accept the first answer given. Questioning is not unfair
    merely because it is persistent.
  3. The PEACE Interview Framework

There are five phases to the PEACE framework:

Planning and Preparation
This includes what to consider when planning for an interview
Engage and Explain
This describes how to cope with the special features of getting an interview started and establishing the ground rules
This deals with the central issue of obtaining the interviewee’s account, clarifying this and, where necessary, challenging it
This describes the considerations before closing an interview
This consists of asking questions about what was achieved during the interview and how it fits into the whole investigation. Evaluation also includes the development of an interviewer’s skill level, through assessment (self, peer and manager) and feedback

P – Planning and Preparation

Planning involves the thought processes in getting ready to interview; and Preparation involves getting the location, the environment and the administration ready. The planning process involves gathering information so as to allow the interviewer to remain in control of the interview, to ensure that it goes in the right direction and that sufficient time is available . The maxim – “Proper preparation prevents poor performance” or other colloquial versions are very relevant. In addition, the interviewer should understand the purpose of the interview, the previous background circumstances, and have a profile of the interviewee. Not every interview is well planned but the more significant the issue, the more likely time nay be invested in preparation. Preparation may involve simply defining the purpose of the interview but it can also involve the set up of the interview space. An assessment of available prior knowledge might also be carried out in advance in order to understand what information is required. Understanding what is required may go some way towards understanding how it can be obtained. The mechanics of the interview space may involve seating, logistics and venue, however they will also involve making any exhibits, if relevant, available for examination during questioning, Good interviewers are investigative whereas poor investigators are merely interviewers. Unless preparation takes place an interviewer may overlook important evidence or miss inconsistencies in the interview information. Unnecessary breaks may then be taken in order to ratify forthcoming information

E – Engage and Explain

The opening phase of an interview can be crucial to the interviewer’s success. If the interviewer can engage the interviewee for a few minutes, this can then “warm up” the interviewee and assist that person to engage with the interviewer in a relaxed relationship which may then be continued throughout the interview. Engaging the interviewee is sometimes described as the Rapport stage of the interview. Courtesy, politeness, and understanding cost nothing to the interviewer but can make all the difference between his/her success and failure as an interviewer. Successful interviewers may take time to find out what motivates the interviewees. Once these drivers are understood then it may be possible to take steps to use them. In addition, the formalities of the interview may need explanation. The tape recording, and other procedures, once understood, can help the interviewee to empathize with the interviewer. If this happens then the interviewer will have much greater success. The format of the interview may then be explained – in order to demystify the process and to give the interviewee the impression that he is not going to be tricked. This sense of security may later be challenged by an interviewer who wishes to ask supplementary questions, or to clarify an earlier account

The interviewee may be asked to comment on matters which have not already been described in the interview or to repeat an earlier explanation in their own words. The interviewer is likely to use the interviewee’s words and repeat them back to him where he or she is checking for a correct interpretation Frequently interviewers will take a great deal of time and put themselves out in order to show consideration for the interviewee. Frequently the interviewee will be asked if he wants a drink or to use the toilet or how he or she wants to be addressed in the interview. Successful interviewers often ask whether there are any time restraints on the interviewee as these concerns may be used to increase the interviewee’s tension later on

The Interviewer will set the scene by saying that the interview is very important and that everything the interviewee says is important. As a result they should not leave anything out, even if they believe it is of no relevance. The interviewee may even be given the impression that they will have to work hard because they have all the information. This creates the impression that there is something that the interviewee needs to say to the interviewer.

At any stage of the interview, in order to ensure fairness, the interviewee may be encouraged to ask a question of the interviewer if there is something which they do not understand, if there is something they do not know or if they do not understand the interviewer

It is unlikely that an interviewee will be encouraged to ask a question for clarification where there is more than one possible meaning for a question, or ask the interviewer to explain something which was inappropriate or leading or to say that they do not feel that it is appropriate for them to answer a question, or refuse to speculate or give their opinion as to hypothetical circumstances

Once this engagement stage has passed, the witness will be asked to give his account. The interviewer may then ask questions to clarify the account or to interrupt where additional information is required

The interviewer may also use the engagement stage as training for later in the interview. The interviewer will be establishing their control and getting the interviewee ready for the next stage of the interview. The interviewee will be encouraged to answer simpler questions (with yes or no answers) and the interviewer will be assessing the interviewee’s language and communication

A – Account

At this stage an interviewer obtains the interviewee’s full account of events. The three main steps are:

  • obtaining the interviewee’s account of events
  • Expanding and clarifying that account
  • Challenging the interviewee’s account with information from other interviewees (if helpful)

Good questioning and listening skills are required to produce an accurate and reliable account. During the Account process an interviewee may change from being cooperative to un-cooperative so it is important for the interviewer to be fully alert during the interview. The interviewer should be able to detect changes in the interviewee’s language and behavior. For cooperative interviewees such as victims and witnesses, the interviewer may use additional techniques of free recall to begin with and perhaps move on to cognitive interviewing for more advanced interviews. For uncooperative interviewees the interviewer will normally rely on conversation management as a technique. Interviewers are recommended to ask all their relevant questions – even in the face of a ‘No comment’ response. This is so as not to leave any gaps that the interviewee (or their organization) might later seek to fill in as part of a defense. After allowing the interviewee to begin to give their account of the facts, the interviewee may use questioning techniques such as summarizing, empathizing, repeating questions, leading questions, accusing questions, varying the questions to ask about the same circumstances, varying the interviewee’s previous responses to suggest that they have already said something or encouraging different ways or repeated attempts to recall the same or related facts

The interviewer may need to clarify or challenge the interviewee’s account. This could be because the interviewer is unclear about something the interviewee has said, or because the information is inconsistent with other known information. This “Challenge Phase” of the Account may include challenges to inconsistencies in the Account or it may also include pre-planned challenges. Information may be held back in order to test what the person might say in the absence of certain key facts.


C – Closure

The Closure stage should ensure there is an understanding on the part of the interviewee as to what has happened during the interview and ensure that the interviewee is certain that the information they have given is accurate in all material respects or that any grey areas have been sufficiently highlighted. The interviewer should confirm that all aspects of the Account have been covered, allowing the interviewee to give any additional information which they think may be relevant and are willing to provide and allow them to be able to give further information in future. It is important to explain what will happen in the next phase of the interview process

A positive close to the interview may mean an interviewee is able to give any new and relevant information in the future, either through recall or as new information comes to light. The closure may also assist in facilitating future interviews with other interviewees.

E – Evaluation

This stage concludes the PEACE interview but not necessarily the interviewing process. The interviewer will, in this section of the interview, often suggest a short break for them to re-review their notes to see if the aims and objectives for the interview have been achieved. In addition, the interviewer will also review the investigation in the light of information obtained during the interview and may reflect upon how well he or she conducted the interview


When conducting an investigative interview, you also need to be aware of the non-verbal indicators.

Understanding the PEACE Method is an important part of an investigative interview, but know the Factors to consider in an investigative interview is equally important in being successful when using the PEACE Method.


I have gone ahead and made a simple flyer for you, so you can share the PEACE method on your blog, to help your readers.

Simple Solutions to Reduce Workplace Accidents

workplace accidentsIn the office, equipment cables and wires can become a trip-and-fall hazard – and an expensive workers’ compensation case. Poised and ready to trip all who pass, office cables and wires are far more than an unsightly nuisance. Slips, trips and falls constitute the majority of general industry accidents. In the United States, they cause 15 percent of all work-related deaths and are second only to motor vehicles as a cause of fatalities, according OSHA.
In a home office environment, small children and common household animals like cats, dogs, rabbits and ferrets often see equipment wires as play things – all too often as chew toys. Clearly such a circumstance puts the child or pet at great risk, with electric shock and strangulation at the top of the list.

  • Cable Control on the Cheap: For just a few dollars, computer cables can be easily shielded with a split wire loom, a flexible and durable polyethylene corrugated tube with a split down the side where you enter your multi-cable bundle. If you have to add another wire later on, you can easily slip it into the split wire loom along with the others without removing the entire bundle.
  • Achieve Lift-Off: Cables, power adapters, power strips, hubs, modems and other small devices can be readily lifted off the floor and put safely out of harm’s way with cable management products that loop, tie and hang “cable clutter” off the floor to reduce work space risks including snags, trips and liquid spills.
Check Out: Ignoring Workplace Safety
  • Wire Fire Can Be Dire: With a glut of equipment, wiring and electrical outlets conducting heat, often over long periods of time and in compact spaces, fire safety is an important workspace consideration. In addition to the standard fire extinguisher, other fire safety measures also should be employed. Flame spread is one vital safety consideration that easily can be addressed. Flame-retardant wire sleeving that does not support combustion can significantly reduce office fire hazards. You also can establish an effective insulating barrier to prevent the spread of fire and smoke through structural gaps and voids with fire-rated expanding polyurethane foams – a cost-effective way to establish an insulating seal on concrete, brick, wood, metal, aluminum and steel.
  • An Important Mat-ter: Use traction floor mats in high-traffic and extended-use areas, particularly those prone to moisture or spills. Be sure to use a floor mat with beveled edges to eliminate trip risk. Mats with sponge bases will enhance ergonomic safety for employees who must stand for longer periods of time.
  • Surface Raceways: Home office wires that run across the floor to a distant outlet are among the most dangerous office situations, with a high risk of injuries or damaged equipment. Fortunately, surface raceways are a readily available and easy way to organize and protect electrical cords that run along the floor or on the wall. These “cable channels” are made of tough PVC and can be painted to match office décor.
Check Out: Mistakes in Managing Safety
  • Cord Protectors: These wire cover systems are another great way to keep from tripping on loose cables and cords running across a walkway or behind your desk. Cord protectors cover, hide and protect cords and cables while keeping floors clear and safe. They also lie flat, and stay flat, and are easy to install.
    Heavy Metal: Whether you want greater protection for your wires from children, animals, rodents or pests, or have a need to protect outdoor fiber optics, RG-6 coaxial cable or Category 5E cables from wildlife or the elements, metal braided sleeving, made from tin-coated copper, is both flexible and strong, and also offers electromagnetic interference (EMI) protection.
  • Take the Edge Off: Wrap anything with a sharp edge such as broken/cracked glass, brittle plastic casings or other materials that may break and produce a sharp or rough edge in corrugated cardboard and secure with a heavy-duty duct tape to protect yourself and others from accidental lacerations. This is especially important before placing such items in a trash container.

Clear Communication Tips

security guardsWhen an officer receives a message, does he (she) take the time to “play back” the information to the caller, or simply answer with “Yeah, I got that” and then forget it? Are there pink message pads or a computer log screen available that have the blank spaces for “caller”, “time”, “date”, “number”, “note”, and “operator”? And, after the call is completed, does the officer make an attempt to follow through by locating the recipient, or simply toss the message into the “in box” near the console?

How about the famous “Oh, he knows who it is” or “No, I don’t want to leave a number-it’s unlisted!” These can frustrate the officer who attempts to complete the call. Add to this the wife or child calling with the tenth domestic emergency of the night- “Ask Jim to call me right away-my son smeared peanut butter in our VCR”. Now complete the daily routine with eight “Isn’t this Mario’s Pizza?” and you can see how the routine task of telephone message handling can become a frustration. (Remember-remain professional and approach each call in the same manner.)

Check Out: Incident Report Writing Guide

Radio messages are another challenge. Portable radios, even with speaker microphones attached, have to compete with noise from passing cars, screaming kids, and whatever else is happening while the officer is copying a transmission from base. Does the dispatcher take the time to phonetically spell out names and addresses? (“That’s R-Romeo-U-Uniform-N-November”). When numbers are used, are they run together or is a pause taken such as “044 ** 46 ** 6699”? And-the most frustrating cause of lost information- do you wait a few seconds before broadcasting or grab the mic and start talking right away? (A radio system needs time to “breathe” between transmissions, or else the beginning of each message will be cut out!)

SecurityManagerWhen speaking on the phone or radio, or taking a message, the officer should try to project a positive image. This helps the company, the supervisor, and the security staff to “satisfy the public”. Avoid prejudging a caller, or editing information based on your own emotions or experience. I have personally witnessed alarm accounts rescued from cancellation by prompt delivery of an irate client’s message to management. If you use pink pads, computer logs, or the well-known “officer’s notebook” in the field, taking down the correct information and relaying that data to the proper individual is a vital part of your duties in security or alarm dispatching.

A final note- in the communications office, the Dictaphone recorder will allow the officer to play back a conversation to make sure that all pertinent information was obtained. In the field, the patrol officer does not have that luxury, and so asking base to “repeat the last message” or “Did you say A as in Alpha or J as in Juliet?” is recommended to complete the call. If there are noise or interference problems, ask the dispatcher to relay the message by telephone.

Clear communication skills will allow others to easily get relayed information for safety and security of all involved.

Conducting a DIY Security Audit

No business is totally immune from the threat of crime but a little prior planning and a few common sense precautions are all that is necessary to deter most criminals.

Use this test to conduct a survey of your business. Each “NO” answer indicates a weakness that could help a criminal. As you eliminate the “NO” answers, you improve your level of protection and reduce your risk of becoming a victim. Go through the list carefully and systematically. You will also want to look at the business during the night and on weekends. Those are times when you may be most vulnerable.

Remember, this checklist points out your weak areas. You are not fully protected until each of them is corrected. Of course complying with these suggestions won’t guarantee that your business will never be the target of crime but it will improve odds in your favor.

This test is limited mainly to the physical security of your business. There are many other areas which also deserve your attention. A well rounded loss prevention program will also address internal security, customer theft, fraud, safety and fire prevention and emergency preparedness.

Physical Security Checklist

Building Exterior

  1. Are all vulnerable points adequately lighted?security audit
  2. Is shrubbery trimmed to provide for good visibility at all vulnerable points
  3. Is all access to the roof eliminated or secured?
  4. Have weeds and trash near your building been cleared away?
  5. If a fence would improve your protection, do you have one?
  6. Is your fence high enough and/or protected with barbed wire or tape?
  7. Is your fence in good repair?
  8. Are gates in good repair and locked properly?
  9. Have you protected solid block walls and wooden fences that someone could climb and/or hide behind?


  1. Have you secured all unused doors?
  2. Is glass in back doors and concealed or secluded locations protected by bars or heavy screen?
  3. Are all doors designed so that the lock release cannot be reached by breaking out glass or light-weight panels?
  4. Do exposed hinges have non-removable pins?
  5. Is a good quality deadbolt lock used whenever possible?
  6. Is the lock designed or the door frame constructed so that the door cannot be forced open by spreading the frame?
  7. Is the bolt protected so that it cannot be cut?
  8. Is the outside lock cylinder protected from twisting or prying?
  9. Is the lock a cylinder type with at least a five pin tumbler?
  10. Are keys issued only to persons who actually need them?
  11. Are doors with panic hardware properly secured after hours?
  12. Are padlocks locked in place when the door is unlocked?
  13. Are hasps made of hardened steel with non-removable screws?


  1. Are accessible windows protected by heavy screen or bars?
  2. Are unused windows permanently sealed?
  3. Are bars and screens securely mounted?
  4. Are window locks designed or located so they cannot be defeated by merely breaking out the glass?
  5. Is burglary resistant glazing used whenever possible?
  6. Is valuable property removed from unprotected windows after hours?

Other Openings

  1. Have skylights been protected by bars or polycarbonate glazing?
  2. Are roof hatches securely locked?
  3. Are ventilator shafts, air conditioning ducts and fan openings adequately protected with bars or wire mesh?
  4. Do you check panic hardware regularly to insure that it is properly closed and in good working order?
  5. If there are common attics, has some provision been made to prevent access through them?


  1. Is safe designed for both burglary and fire protection?
  2. If safe weighs less than 750 pounds is it secured in place and are wheels removed?
  3. Is safe well lit and visible from outside, especially after hours?
  4. Is cash on hand kept to a minimum by banking regularly?
  5. Do you spin the dial when you lock the safe?
  6. Is the combination changed when personnel possessing it terminate?
  7. Is the cash register left empty and open after hours?


  1. Do you have an alarm system?
  2. Does your system meet Underwriters Laboratory standards?
  3. Is your system tested daily?
  4. Does it report to a central station?
  5. Does it have a back-up power supply for power failures?
  6. Is your system free from false alarms?
  7. Do you or a designated employee respond to every alarm and check it out?
  8. Is the system designed to fully protect all vulnerable areas?
  9. Does your system include fire protection?

Other Considerations

  1. Do you lock up carefully at night, making sure that the safe is locked, doors and windows are secure, lights are on and the alarm is set and working?
  2. Have you recorded the serial numbers of all valuable merchandise, tools and office equipment?
  3. Do you maintain a good inventory control program?
  4. Do you guard against internal theft by having a written security policy and an audit system to maintain employee account ability?
  5. Do you carry sufficient insurance coverage?
  6. Do you have an effective background investigation program for screening new employees and promotional candidates?
  7. If your local police department has a helicopter or other aircraft, are your street numbers painted conspicuously on the roof of the business?

Office Security

  1. Do you restrict office keys to those who actually need them?
  2. Do you keep complete, up-to-date records of the disposition of all office keys?
  3. Do you have adequate procedures for collecting keys from terminated employees?
  4. Do you secure all typewriters, calculators, computers, etc. with some type of locking device?
  5. Do you prohibit duplication of office keys except for those which are specifically ordered by you in writing?
  6. Do you require that all office keys be marked “Do not duplicate” to prevent legitimate locksmiths from making copies without your knowledge?
  7. Have you established a policy that keys will not be left unguarded on desks or cabinets – and do you enforce the policy?
  8. Do you require that filing cabinet keys be removed from locks and placed in a secure location when not actually in use?
  9. Do you have procedures to prevent unauthorized persons from reporting a “lost key” and getting a “replacement”?
  10. Do you routinely obliterate code numbers on all keys to prevent unauthorized duplication?
  11. Do you have a responsible person in charge of your key control program?
  12. Are all keys systematically stored in a secure wall cabinet of either your own design or from a commercial key control system?
  13. Do you keep a record showing issuance and return of every key, including name of person, date and time?
  14. Do you use telephone locks to prevent unauthorized use of phones when the office is unattended?
  15. Do you provide secure areas for employees to store their personal property?
  16. Do you have at least one filing cabinet secured with an auxiliary locking bar so that you can properly secure sensitive documents?
  17. Do you leave lights on at night?
  18. Do you record all equipment serial numbers and file them in a safe place?
  19. Do you shred sensitive documents before discarding them?
  20. Do you lock briefcases and bags containing important material in a safe place when not actually in use?
  21. Do you insist on proper identification from all vendors and repair persons who come into your office?
  22. Do you make regular bank deposits and avoid keeping large sums of money in the office overnight?
  23. Do you clear desks of important papers every night?
  24. Do you frequently change the combination to your safe?
  25. When employees work alone at night do they set the door lock to prevent anyone from entering uninvited?
  26. Are emergency phone numbers posted near all phones?
  27. Is computer access restricted to authorized personnel and are access telephone numbers kept confidential?
  28. Are all doors leading to the office protected by heavy duty, double cylinder deadbolt locks?
  29. Are all windows, transoms and ventilators properly protected?
  30. Is there a closing routine established to make sure that everything is properly secured prior to leaving?
  31. If the office is protected by an alarm system, does the equipment work properly and is it set every night?
  32. If you employ a guards, do you check their watch clock tape or dial each morning to be certain that they are doing their job properly?
  33. Do you periodically review your security policies and procedures and update them where necessary?
  34. Are computer files routinely backed up and backup files stored in a secure off-site location?

Policies, Procedures & Training

  1. Do you have a Workplace Violence Prevention Policy?
  2. Do you have a Crisis Media Management Policy?
  3. Do you have a Disaster Preparedness Plan?
  4. Do you have a Workplace Harassment Policy?
  5. Do you provide on-going training to employees at all levels of the organization regarding these policies?

Obviously, completing this checklist won’t solve all your security problems. It will however, give you a good idea of the level of security that now have. With that knowledge, you can begin to develop a security program that provides the type of individualized protection your particular business requires.

If after completing this survey you find that the security of your business is poor or if you have any questions regarding security procedures and equipment, contact me.

Remember too, this test covers only a small part of a complete business security program. Your business isn’t fully protected until you have taken steps to improve the security of every aspect your business.

After a Security Audit, it is also a good time to check out your security policies, and my post, the 7 Security Policies you need, is a great starting point.

Risk Assessment Guidelines

risk assessment

Purpose of Risk Assessment Guidelines

Most Corporate Risk and Security requires all locations to implement the baseline physical security controls described in the physical security standards. These controls are considered the minimum standards for the majority of locations. However, as a result of political, environmental or other local issues additional controls may be necessary. An analysis must be completed for each location to determine what additional risk exists and what additional controls are required.


Corporate Risk and Security will conduct a risk assessment of each location every three years or less if necessary.


Risk Assessment: the risk assessment is a process, which identifies and quantifies the real risks and key business factors associated in operating a business location. The process is based upon a survey which facilitates the gathering of data specific to the following: environmental factors, business factors, site location and design, municipal resources, crime and demographic factors, business risk profile factors.

Environmental factors: weather, geological activity, political, chemical.

Business factors: value of operation, proprietary information, key assets (including manufacturing processes) duplicated/non-duplicated activity, level of staff, impact to total corporation.

Site Location and Design: physical attributes, fire suppression, public accessibility, access points and natural hazards.

Municipal Resources: public utilities police and fire resources and response, medical resources, bomb procedures, disaster assistance.

Business Risk Profile: crime history and demographics, population analysis, historical crime survey and possible trends.

Check Out: How to Complete a Risk assessment


Risk Analysis Process:


  1. Evaluate the risk exposures and determine the corresponding risk category that must be applied to that location, if any, in reference to the Corporate Profile.
  2. The evaluation for the location must be done and approved by the Corporate Director of Risk and Security.
  3. Both a vulnerability and exposure matrix will be used for three distinct categories: (1) natural disasters; (2) man-made incidents; and (3) incidents.
Check Out: Understanding of Real Risk


Risk Quantification will be conducted by Corporate Risk and Security who will utilize four categories for quantifying risks in reference to the Corporate Profile:

Category 1 (Extreme Risk):

Civil and other war situations wherein the central government does not control significant geographical areas, which are in the partial control of insurgent forces, or where government control is immediately threatened. Also, nations or cities undergoing violent transformation through a military coup or revolution. A major environmental hazard has been determined to be uncontrollable and would cause serious harm, i.e., volcano. Travel and/or event movement are discouraged.

Category 2 (High Risk):

Locations where terrorist or guerrilla groups pose a serious threat to a nation’s political and/or economic stability; a country or city faced with widespread street violence resulting from political dissension or economic unrest. Also, countries or cities with known potential for military coup/militia groups or evidence of prejudicial treatment against foreign/nationality interests. Only essential travel would be recommended. Any location where company has been the target of terrorists around the world. Additional measures should be set forth to mitigate the threat of bombings, bomb threat searches, and reduce any real event risks to personnel and property. An environmental hazard has been determined to be uncontrollable and would cause harm if incident occurs. Stringent security precautions and travel awareness is warranted.

Category 3 (Moderate Risk):

Locations where political or economic turmoil is evident and/or terrorist/guerilla groups are regularly active but have not become strong enough to threaten government stability. Also, nations or cities involved in potentially violent regional disputes or with high rates of crime. The threat of violence in the work place is high. Non-US locations where the risk exists or is emerging where economic crime, underground/street gang/mob influence is prevalent. The measures designed to prevent or mitigate violence are on property must be implemented in all US locations wherever the risk exists worldwide. An environmental hazard is possible due to location and trend of natural disaster paths, i.e., cyclone paths, tornado alleys, earthquake epic centers, etc. Upgraded security precautions are warranted for travel or investment if disaster mitigation methods are required.

Category 4 (Low Risk):

Locations relatively free of frequently recurring acts of political, economic or criminal violence and societal arrest. Nations or cities where organized antigovernment elements or terrorist/guerilla groups may be active but maintain only limited operational capabilities. No known environmental hazards are apparent. Modest security precautions are warranted for travel or investment if corporate security concepts meet corporate standards.

If you have any questions do not hesitate to contact me.

Transparent Security: not seeing it is the point

transparent securityFor businesses, the need for increased security is apparent. Yet there are many cases where the businesses may not want the appearance of security to be obvious. Although government organizations usually make security a priority over aesthetics, corporate and private facilities often cannot afford to follow this policy. With government facilities, if a property requires 12-foot-chain-link fence with razor wire, then that is what is put into place.

So where does that leave facility executives at corporate and private organizations? Many are taking physical security design to a new level: transparent security. Transparent security is strategy that addresses the need for security while respecting the importance of a low-key appearance.

Transparent Security

Enabling Technology

Transparent security follows two lines, hard and soft. Hard includes equipment, specifically equipment that is designed to be discrete or invisible. Soft involves policies and a strategy known as Crime Prevention Through Environmental Design (CPTED). Occasionally, nonsecurity objects may be used to serve soft security purposes. In one recent application, maple trees were planted in a park specifically to prevent vehicles from traveling into a restricted area. The trees were part of the park, the placement was part of the security plan.

The concept of transparent security design is proactive. The idea is to look for potential problems and take steps to put invisible or unobtrusive material in place to mitigate the potential problem.

Technology is helping to make transparent security easier, and recent advances in the field of window films are an example. An optically clear film is available that can be applied to almost any window, providing a significant increase in protection. Window films provide several security advantages. Glass-fragmentation retention film actually strengthens the glass, increasing the force necessary to break the glass and prevents glass fragments from flying. Window film is relatively inexpensive and is typically done as a retrofit on existing glass. An added benefit is that when properly applied, glass fragmentation window film is invisible.

Glass fragmentation window film has been applied at facilities owned by such diverse organizations as NASDAQ, Wells Fargo, and not surprisingly, the Department of Defense.

The idea of hiding security devices is not new. Manufacturers have been building hidden or low-profile closed-circuit television camera housings for years. Intrusion-detection equipment has also been available in hidden housings. Now, manufacturers of high-security vehicle barriers have followed suit. The vehicle barrier approach is unusual in that high-strength antivehicle bollards are now available in an ornamental configuration. One manufacturer has created a line of architecturally designed fiberglass and plastic sleeves to slip over bollards.

These ornamental barriers are being used to protect buildings as well as to control vehicle access in residential areas. In California, West Hollywood is employing the same type of antiterrorism bollards as used by the federal government to stop car bombers. The city’s barriers are used to block off residential areas from nighttime traffic off Sunset Boulevard from the new Sunset Millennium Shopping Center. The high-security barriers will stop vehicles weighing as much as 7 tons travelling at speeds of up to 62 miles per hour.

Security Meets Design

On the other side of the country, multiple entrances to the Florida State Capitol Building rate protection as well. High-security decorative bollard systems are proposed for the legislative members’ garage that will blend in with the aesthetics of the building. This system balances strength and design by placing ornamental trim around the perimeter of each bollard. In a crash test, the same bollards stopped a 7.5 ton vehicle traveling at 44 miles per hour. Mixing strength and aesthetics, these bollards carry a U.S. Department of State and Department of Defense rating of K8, L2, the highest rating that the government has given to a bollard system.

The impact of security is evident in perimeter systems, too. Some facilities are blending designs into the metal perimeter fence construction to reduce the visual impact of the fence. The corporate headquarters for Delta Airlines in Atlanta is surrounded by a fence with the Delta logo incorporated into it. Less than 10 miles away, the corporate headquarters for the Southern Company — parent company to Georgia Power and other utilities — sports lightning bolts bent into the metalwork of the perimeter fence. In both cases, the additional metal does nothing to increase the physical security.

CPTED takes the built environment and carefully modifies it to increase security. The concept has been used by planners and architects for many years to control behavior; the emphasis is on the placement of existing nonsecurity materials to achieve a security benefit.

CPTED classifies people as either normal users, abnormal users or observers. Normal users are the people that belong in a facility. They are the employees, the guy who fills the drink machine, the customers and anyone else who has legitimate business in a facility. The abnormal users are the opposite of the normal users. They are the thieves, the vandals, the graffiti artists and everyone else who is to be kept away.

The idea of letting some people in while keeping others out is at the heart of any access control system. What makes CPTED different is the idea of observers. A CPTED observer is a person who has been placed at a specific location to minimize the probability of a crime. The concept is simple: The more people looking at something, the less likely crime is to occur. As the number of people looking is increased, so is the probability that someone committing a crime will be seen, and therefore identified and caught.

Visibility Matters

Observers are not told that they are “observers.” They are not there to watch a location and report any crime. But reasonable people are is likely to call 911 if they witness a crime. Thus, security in crime-prone areas can be improved if there are reasons for someone — the observer — to be present. For example, park benches provide a place for people to sit, and as a result, they become places for observers to gather. From a design perspective, an observer is a transparent security measure.

CPTED also utilizes the concept of taking high-risk activities and placing them in low-risk areas to minimize the potential for crime. This is done without the use of security devices and is also transparent. Bank ATMs, for example, are inherently high-risk. The transparent goal in providing security for an ATM is to place the machine in an area of high visibility.

As the need for security continues to increase, transparent security design is becoming a factor in good architectural and security planning. Minor changes can make a big difference, without compromising aesthetics.

How do your alarms communicate?

There are many ways that a signal from a fire or burglar alarm can reach the receiver; from POTS (the telephone line that you talk on every day) to sophisticated radio transmitters that seem to have been designed for the CIA to cellular service. Whatever method your security system is using, the important function is to get the correct data from the device (motion detector, heat detector, door contact, etc.) to the base station where dispatching occurs.

The oldest method is the regular telephone wire. In the older systems, each account leased a copper wire connecting them to alarm company central station via the local telephone company switching station. Developed in the 1870’s to measure changes in current at a box in a store or home, it is still used by many private customers. One problem is that the communication flow depends on a solid connection between the two points – if a wire is cut on a pole, the earliest systems show an alarm. Over the past few years, telephone companies have begun to phase out this type of service, since maintenance costs are high and switching equipment is dated.alarm communications

The answer is derived channel monitoring – where the phone company provides a special device at the switching station and another at the alarm company. The digital signals are then monitored by the phone company for quality control – so line faults can be reported and alarms transmitted more securely. Please note this system is an option: not available in all areas of the country.

A third source may use a cell-phone similar to what you probably carry with you today. It was marketed in the 1980’s and allows the alarm user to transmit data on the same system that local cellular phone companies provide. There is a charge, of course, as you are paying for the phone number and usage. A typical system has an alarm control interface, a cell phone mounted in a cabinet with back-up power, and an outside antenna if needed. This device allows for alarms to be transmitted even if local phone service is down, providing that it can “hand-shake” with a cellular tower site. Upgrades are ongoing, such as the same technology that allows you to operate your laptop computer in the car. (Telemetry)

Another plan of action is radio, again this is a newer technology developed in the past twenty years. The simplest type simply substitutes a two-way radio (such as your officers use in the field) to transmit alarm information from one building to another instead of a phone line. This requires a dedicated radio channel as well as line-of-sight reception. A better solution is becoming part of a commercial network, where tower sites and equipment are maintained by a private company and channels are shared based on repeating the messages from office building roofs, water towers, mountaintops and other elevated locations.

Hardwired alarm panels are less expensive than wireless panels, but they are harder to install. Keep this in mind when working on budgeting for alarm systems. An average alarm installation with a hard-wired system takes about 12-16 hours. A typical wireless installation will take less than 4 hours.

Another consideration is that some types of construction lend themselves well to a hardwired installation, and others will require the use of wireless.

Even if you select a wireless alarm panel, some jurisdictions still require that the device back-ups are hardwired. These typically include the power transformer, the electrical ground wire, the telephone connections and any keypads/arming stations and audible alarms.

Check Out: Emergency Action Plan Basics

The main difference between a hardwired and a wireless alarm panel is how each one communicates with the protection devices connected to the system. A hardwired panel will require a wire to each “zone” or device on the system, while a wireless system utilizes a radio frequency to communicate with the “zones” or devices that are connected to it.

While a normal electrical circuit is a Parallel Circuit, a typical hard wired alarm circuit is a 2-wire normally closed loop with end of line supervision commonly referred to as a Series Circuit.

A Series Circuit allows electrical current to flow from the alarm panel, down one wire through the alarm initiating device and back to the alarm panel. When the current is interrupted, the panel will register a fault on the circuit/zone. End of Line (EOL) resistors are added to the circuit so that the alarm panel can supervise the condition of the zone for ground faults, electrical shorts and open or cut wires.

Multiple normally closed devices can be connected to a single zone by connecting the devices in series, with the EOL resistors installed on the last device in line. This way, the entire circuit is completely supervised from the panel to the last device in line.

When wireless alarm systems first appeared on the market, they were not the most reliable systems around. Most of them utilized non-supervised wireless transmitters to communicate to each of the field devices. A non-supervised wireless alarm transmitter would only send a signal “one way” to the alarm panel receiver when it was activated.

For example, when a door or window was opened, the transmitter would send a wireless signal. The alarm panel would receive the signal and activate the appropriate zone. The transmitter would not send a signal when the door or window was closed, so the receiver/zone had to reset itself after a few seconds. With a non-supervised wireless system, you could actually arm the system with a door or window wide open without even knowing it.

Most new alarm systems utilize a redundant bi-directional fully supervised wireless connection for two way communication between the transmitters and the alarm panel receiver. With fully supervised wireless, the alarm panel can tell you the real time status of a door or window. If a door is open, it will keep the zone faulted until the door is closed.

Most of the early wireless systems were very limited in their addressing schemes. They utilized dip switches with binary addressing (explained later) to differentiate between points on the system.

This was O.K. if your wireless system was installed and commissioned correctly, but what happened when a neighboring location installed the same type of system? If the neighbors motion detector was addressed the same as your dock door, your alarm would go off every time they moved around inside their building. As you can imagine, this could cause some major problems that were very difficult to troubleshoot.

Modern wireless systems utilize serial numbers, binary house codes, or other proprietary technology to assure that only transmitters enrolled into your panel will be received by your alarm system. If you do your research and purchase a good reliable supervised alarm system, you should never need to worry about your neighbor’s wireless transmitter setting off your alarm system.

Another problem with the older non-supervised systems is that you did not know when the batteries in the transmitters are low or need to be replaced. The only way to verify that they were working is to periodically test them.

Because, even the most sophisticated wireless alarm panels are useless if the transmitter batteries are dead, therefore supervised wireless panels are programmed to check in with each of the remote transmitters at least once every 24 hours. If your transmitter has a low battery, the keypad/arming station will immediately inform you of the trouble condition.

Check Out: Improve Your Security Guard Service in 5 Steps

With any wireless security system you should always test the performance of your system regularly. The range of any wireless product can be affected by the environment and the structure in which it is installed. Additionally, the range can be adversely affected by environmental conditions, interference form electrical devices or even the orientation of the transmitter in relation to the receiver.

So who is the winner of this argument? Well, according to Underwriters Laboratory (U.L.), the most secure and reliable installation methods utilize hardwired installations with End of Line (EOL) 1 or 2-resistor supervision. In fact, U.L. approved installation standards for federal government and other high security installations require all zones of protection to be hardwired with complete 2-resistor line supervision.

Not to say that wireless systems are an inferior product. In fact the fully supervised systems offer excellent protection that is perfectly suitable for 90% of residential installations.

If you are considering a wireless alarm system, be warned, there are still systems being sold and installed today that are non-supervised, so make sure that any system you are considering offers complete wireless supervision.

If you opt for a hard-wired alarm system, make absolutely sure that the system is installed with the supervisory resistors at the end of the line. To make installation faster and simpler, some installers will place the resistors in the alarm panel rather than at the end of the line.

While this method provides supervision of the zone for ground faults, it does not provide protection for a direct short or worse yet, someone splicing into the wire and shorting them together which will essentially close the loop so the panel will not see the zone open or close.

Whatever method that your security department chooses to move the alarm information from the point of occurrence to the receiving station, make sure that you can provide interference-free data and your staff is able to interpret and dispatch the information. As technology grows into the twenty-first century, new ideas about alarm transmission will be unveiled and older technology will be challenged by parts shortage, lack of technical support, or noise on the line. This article does not offer any specific vendor names or ultimate solutions – but I hope that you will examine your burglar and fire alarm system with an eye toward data transmission.

Basics of a Security Risk Assessment

security risk assessment

A proper security risk assessment is necessary to truly understand what security risks your company faces. As a physical security professional you must understand how to conduct a proper security risk assessment. Check out the Risk Assessment Guidelines to understand in-depth what a full security risk assessment entails.

The following tips will guide you in understanding how to conduct a Security Risk Assessment.

Zone 1: The Interior

Every facility executive needs to protect interior space from unauthorized entry. The means available include:

  • An effective system at the front desk or lobby to identify and badge employees and visitors
  • Locking systems
  • Intrusion detection and 24-hour alarm monitoring
  • Closed-circuit television (CCTV) in key locations
  • Security guards

Zone 2: The Perimeter

The typical multi-tenant building perimeter base building system focuses on elements that are incorporated into the design of a new structure, but also may be retrofitted. Some of these elements are:

  • Window coatings to minimize glass shards; polycarbonate glass from grade to 30 feet or higher
  • Structurally hardened building exteriors
  • Defensive landscaping — avoiding landscaping that conceals intruders or provides natural “ladders”
  • Lighting and CCTV in key areas
  • Control of loading dock traffic
  • Control of building entrances — main lobby and elevator core interface with public

Mail facilities are also vulnerable to biological and chemical weapons, and unauthorized entry. To combat those threats, consider:

  • Limiting access to authorized personnel
  • Placing barriers at the building perimeter to decrease access and reduce the impact of hazards
  • Installing X-ray package-screening equipment
  • Installing nuclear, biological and chemical (NBC) detection equipment
  • Installing negative pressurization systems to contain hazardous materials
  • Using HVAC filtering and treatment, such as HEPA filters and UV treatment

Finally, the building’s air systems and mechanical room, if located on the perimeter, are another area of vulnerability. Protect air handling systems from tampering by:

  • Fencing off fresh-air intakes and return-air vents or moving them to roof
  • Securing mechanical room exits

Zone 3: Building Grounds

Building grounds should be treated as a defensive zone to prevent cars and trucks, which might be carrying explosives, from crashing into the building. One security measure against these threats is the installation of highway barriers, but these are unsightly. Instead, use landscape elements to create a stand-off zone around the building, remembering that the effect of blasts diminishes with the distance from the blast. Effective methods include:

  • Using mature trees, landscaped earth berms, raised planter beds, benches, ornamental fencing and ornamental light posts
  • Incorporating effective lighting

Zone 4: Property Boundary

Implement security measures at the property line, which may include:

  • Roadway and barrier systems, such as a guardhouse
  • Communication systems in remote parking lots, such as emergency intercom and CCTV surveillance
  • Secured access to gas, water, electric, telephone service and utilities, such as locking manhole covers

Zone 5: Parking Structures

Parking structures are a significant area of vulnerability. Limit and monitor access and use, particularly if the parking structure is within or under the main part of the building. In addition to eliminating on-street curb parking, successful methods might include using:

  • Parking control system
  • Vehicle identification system
  • License plate recognition system

Zone 6: Public Domain

Finally, leverage the assets that are available to property owners in the public domain: streets, police, fire and emergency services departments. Coordinate security policies and procedures with public agencies at the local, state and federal levels, as appropriate. Establish a liaison to obtain real-time intelligence about actual and potential threats.

In today’s world, facility executives must take a holistic approach to security planning, programming and system design. They must assess the full range of security assets available — both human and electronic — and develop a system that protects the property at every zone from the interior to the public domain.


Here are suggestions of what to check before contracting Kevin Ian Schmidt for a physical security risk assessment.

This article is just to provide you with the basics of a security risk assessment, so you are knowledgeable on what to expect when hiring a consultant, and will potentially be able to address minor, simple issues beforehand to save cost.

Layered Security

layered securityAt its most basic, layered security refers to concentric rings of site and building security. These rings typically progress from the exterior boundaries of a site to the exterior building shell to increasingly secure areas within the building. The rings are not always symmetric or well defined, but each one represents an increase in security hardening against external threats as one moves inward from the site boundary or building exterior.

In a layering approach, design consideration must be given to the flow of people and material as they move though public, private and restricted building areas. Controlled paths need to be established in conjunction with each layer of security. This is where design with security concerns in mind can minimize implementation and future operating costs.

Equally important are the internal security layering requirements that segregate building spaces from one another — a key requirement when multiple tenants or departments with differing security needs occupy a single building.

Securing Core Areas

Most buildings share core areas that include vertical transportation, electrical and telephone rooms, janitor closets, and public amenities like parking areas, lobbies and toilet facilities. A successful security design must not only plan for the flow of people and material during occupied and unoccupied hours, but also consider how this flow affects the sharing of public and service areas.

For example, building access from surface or underground parking facilities needs to be segregated and directed to a common access control point to minimize security staffing and other operating costs. Because of past incidents in high-profile buildings, underground parking may in the future be limited or not be provided at all.

When designing security to maintain segregation of building areas, life safety code requirements must be observed, and the required emergency egress paths must be maintained using appropriate egress hardware. Though it sounds simple, this is one of the most difficult requirements to implement because it requires comprehensive understanding and interpretation of building codes and close coordination of door hardware, security system and fire alarm system requirements.

Check Out: Physical Security Program – Know the Process

Design Principles for Security

Proper design and use of the built environment can assist in effective security layering. The following four design principles are key:

  1. Natural surveillance: The ability to keep potential threats easily observable in parking areas and building entrances.
  2. Territorial reinforcement: Defining private and public areas in the facility or campus using landscape plantings, pavement designs, gates and fences
  3. Natural access control: Design of streets, sidewalks and building entrances to indicate clearly the public access routes and to discourage pathways outside the secure areas, using structural elements to complement electronic access control.
  4. Target hardening: Design using features that prohibit entry or access, such as window, door and air intake location; locks; dead bolts; electronic card access; and closed circuit television (CCTV).

To enhance security, building exteriors will in the future likely be designed with fewer windows and other openings; exterior windows and doors at the lower floors will be reinforced. Fresh air intakes will no longer be at grade. The number of outside entrances for pedestrians on foot or from parking areas will be reduced to channel the flow to lobby security stations that can be staffed with the minimum number of personnel.

Underground parking, loading docks and service entrances will be located and designed to segregate and effectively control the flow of personnel and goods using transition areas. Building service areas, toilet facilities, corridors, and electrical and telecommunication closets will be located so that the building’s net usable space can be subdivided, segregated and secured as needed to meet the requirements for each tenant or department’s security, while maintaining the code-required means of egress.

Technology’s Role in Layered Security

In addition to physical barriers, a layered approach to security typically requires electronic security systems — different combinations of things like badges, biometrics, card access, door alarms, CCTV and package scanning machines in different combinations — along with personnel trained to make the final decisions. The effective placement of these systems can reduce staffing requirements.

The upper box on page 53 shows the placement of card access devices and personnel to control access to building core areas from the outside while minimizing staff needed to handle visitors.

In the example shown, everyone who wants access to non-public areas of the building is directed to the turnstiles that control access to the elevators. Visitors can gain access when authorized by the security personnel.

In a building similar to the one in the example, delivery trucks could gain access to the loading dock after being cleared by the security staff. Depending on the security level required, access to the freight elevators can be further controlled after inspection of the cargo.

Check Out: How do Your Alarms Communicate

Further security layering can be implemented for personnel and material that have been cleared for access to tenant spaces. The bottom box on page 53 shows a typical arrangement of multiple-tenant floors. Tenant security is maintained with the use of card readers to control access into the space. Tenants that need to track personnel who enter and leave their spaces can use their own card readers. Tenant personnel can gain access to the toilet facilities while maintaining security; the use of keys or card readers at the toilet facilities is an option that needs to be evaluated separately. Those making deliveries from the freight elevator need to request access to tenant spaces via telephone or intercom.

CCTV systems with motion detection can provide continuous monitoring that is useful not only to grant access to the protected spaces, but also to provide forensic evidence needed to investigate security-related incidents. Digital CCTV provides for easy retrieval of information on demand without the time-consuming searching required by older analog systems.

Although security layering is a valuable strategy for controlling the flow of people and materials within the building, it isn’t the whole story. Operational plans are needed to limit access only to suppliers and staff with legitimate need. Deliveries of supplies from known sources should be coordinated in advance. Delivery times may have to be restricted to off-peak hours to avoid unnecessary delays to building occupants. For particularly sensitive areas, requirements for background investigations of outside contractor staff may need to be established to prevent “Trojan horses,” such as bugging devices, from being introduced into the building during construction, maintenance or deliveries. Emergency plans need to be developed and tested with the building occupants to address different types of security-related emergencies. Exit and emergency pathways need to be established for different scenarios.

Special measures and additional staffing may be required for special events, such as social functions and tenant relocations, where a large number of strangers may require access to secured areas.

In new buildings, security layering can be integrated into the original design in a very cost-effective manner. But, of course, occupants of existing buildings are demanding increased security as well. In most of these buildings, security improvements are more costly to provide because of significant additional staffing costs or building modification costs to redirect the flow of people and materials. Many existing buildings were designed with multiple entrance pathways; these buildings must add significant security staff or make costly changes to the building itself to provide minimum levels of security. Building owners will have to treat those additional expenses as a cost of doing business; tenants are demanding increased security, and those measures carry additional costs. Another challenge for existing buildings is that the security layering approach requires both building owners and tenants to accept changes in behavior without developing a trench mentality.

When it comes to upgrading security from what was acceptable in the past, there is no free lunch. To put it another way, no pain, no gain.

With new buildings, costs can be minimized. Doing that requires building owners to remember two key points: first, that during the design process it is never too early to plan for security; second, that many tools are available to provide security. And it’s not just building owners who need to think in a new way about security in new buildings. The increased demand for security also will require a change in the mindset of architects and engineers. Design professionals will have to consider how to incorporate into building designs the sometimes conflicting desires and requirements of building owners, occupants, vendors, visitors and governing agencies.

If everyone on the design and construction team focuses on security early and consistently, security does not need to be expensive and in many cases can be incorporated with minimal impact on the tenants who spend a great deal of their everyday lives in the building.

It’s also important to remember that effective security requires the building owner to address both operational and security technology issues as well as architectural factors. For example, it is critical that the issues of security staffing and training be addressed. With solid planning and an awareness of the tools available to designers, building owners can achieve the security levels they need without high ongoing costs.

Understanding of Real Risks

Photo Courtesy: Nick Carter/Flickr
Photo Courtesy: Nick Carter/Flickr

To anyone who has an understanding of real risks, some of the most unnerving stories about security involve facilities where nothing bad has happened — at least not yet. These are facilities where vulnerabilities exist but haven’t been discovered or addressed yet.

Case in point: the headquarters of a large health care company. A security review determined that anyone in the lobby could go straight into the rest of the building without being stopped. But the audit recommendations to address that problem languished in the hands of company executives. Six months later, the company found itself embroiled in tense collective bargaining negotiations. One day, a group of people barged in through the front door, raced through the lobby and disappeared into the heart of the building. The stunned receptionist could do nothing but call the police and hope that nothing happened until they arrived.

Think that a security breach like that — involving an obvious vulnerability — is an isolated case? Look around many facilities, and it’s not difficult to spot security risks: a door propped open, poor lighting in the parking lot, a window cracked open or an unlocked gate. And obvious risks like those are only the beginning. Facilities face a wide range of potential threats. The real question is, which vulnerabilities are most likely to be exploited?

There are plenty of excuses not to address that question. An office building may be deemed too small to require a detailed security audit. Or its out-of-the-way suburban location may be judged safe because it does not face obvious, high-profile risks. Cost is often an obstacle. So is the lack of an on-site person who is directly responsible for security.

Excuses aside, experts agree that conducting an audit is paramount to making sure that everyone and everything in a building is as safe as possible.

In order to really do anything from a security standpoint, you have to know what your risks are, how can you make security decisions if you don’t have a clear understanding of what your problems are?

Some buildings are clearly high-risk and therefore demand that special attention be paid to security. A good example is a nuclear power plant, the security level requires special attention to detail. The Nuclear Regulatory Commission has specific guidelines for how those facilities should be secured, and it’s not just the release of nuclear material into the air that has to be addressed. Many of those plants, for example, have regularly scheduled deliveries of chemicals via truck or rail. That schedule requires evaluations on which roads leading to the plants have the most risks. Moreover, the possibility that someone may try to sabotage the truck or train delivering the chemicals should also be considered, Benne says.

The definition of what constitutes a high-risk building has changed over time. For example, the threat of terrorism has created a demand for specialized research buildings to study and respond to a biological event.

The federal government is looking closely at the security of those biological labs. Two types of assessments are typically conducted on those labs: a bio-risk assessment that focuses on handling and containing biological agents, and a more traditional security assessment that addresses outside threats, such as someone trying to enter the facility.

If you’re designing a facility with agents that are lethal, the community wants to know what you’re doing to protect it, it’s a sensitivity and not just a process.

But for every building that is closely scrutinized because it is clearly at high risk, there are many more facilities where risks have never been adequately identified. And a building need not be a landmark to face significant risks. A good example is a branch bank located near the entrance ramp to a highway. Someone who understands risk assessment sees that a financial institution has branches located where other financial institutions have had robberies. Those (new) branches will then be seen as high-risk and added security measures would be put in place.

Time for Action

Formal security audits should be done on a regular basis, noting that there are three occasions in particular when they should be conducted. The first is when a site is being considered for a new building. There are commercial and consumer crime statistics companies available that conduct threat and risk assessments based on geographical location. Their assessments detail what the crime and murder rates are for a specific address and compare those rates to those of the city and county.

Many times you’ll find that the differences are miniscule, but if one location has a greater crime rate, it may have an impact on the decision.

A security audit should also be conducted when a significant change has been made to an existing facility, such as an addition, and when there’s been a serious incident. In the latter, the goal is to find out why an incident occurred and how it can be avoided in the future.

A security audit is a three-step process: first, where do you stand today? What are your policies? Procedures? Equipment? Second, where do you need to be? Third, if there’s a significant gap between where you are and where you need to be, how do you fill that gap?

Risk assessment can go beyond a security audit and try to determine how survivable a business is if something catastrophic occurs. A number of companies went out of business after the World Trade Center collapsed on Sept. 11, while others survived but got “a big wake-up call.” You can’t, for example, put all the data in one location. You need redundancy. Companies have to ask how they’ll continue operating if they want to keep the doors open after an emergency.

Check Out: How to Complete a Risk Assessment

Excuses, Excuses

Despite the benefits of security audits, many companies don’t do them because of the expense, the average in-depth security audit costs between $10,000 and $50,000.

It’s often not easy for a security director to justify spending money on a security audit when nothing bad has happened in or around a building. Recommending that an audit be conducted is much like making a sales pitch to management. The reason? A security director is competing with others on the staff who want money to be spent on new computers or the replacement of a compressor.

Audits also aren’t conducted because there hasn’t been an incident in or near a building and so no one feels the need to look for weaknesses. That misses the point of doing a security audit. The goal is to be proactive in organizing a plan to handle different types of threats and reduce liabilities.

Having a plan could pay off when partnering with an insurance company, if you can show them that you’ve done an audit, an insurance company may lower your premium, so there are some benefits that are outside of just mitigating risk.

Another reason security audits are neglected is because it is assumed that the risks facing the facility are so clear, and the appropriate countermeasures so straightforward, that a detailed analysis of security risks seems superfluous. For example, administrators at a school that has several open perimeter doors may decide to lock all those doors in a reaction to violence at another school. And while the doors may stay locked for the next several months, at some point security typically becomes lax once again if another incident doesn’t occur. An audit can help structure and focus to security efforts.

This isn’t to say that security incidents at a similar type of building, or strategies used by comparable facilities, aren’t important parts of the security decision-making process.

Piece of the Puzzle

Clearly, a review of strategies used by comparable facilities is an essential component of a security plan. A facility executive responsible for K-12 schools, for example, should be aware that other schools have put an increasing focus on perimeter security, so that no one has unchallenged access. So when someone walks in, they can get to a certain point and then they have to be vetted by signing in, showing credentials and being checked out before they can progress further into the building. At most schools, and this is slowly changing, you can just come in and wander around. Knowing how other schools are addressing security risks can help educational facility executives make decisions about their own buildings, but knowledge of industry trends is no replacement for a security audit.

An audit is especially important when the installation of security systems is being considered. Facility executives may decide to add video cameras because a similar building did so. But if there are no provisions for monitoring the cameras, they won’t achieve the goal of improving security. Organizations make short-term changes that lack the thoroughness of a well-thought-out plan, often costing money without a return of investment in improved security.

Organizations that don’t conduct security audits often end up with knee-jerk reactions to incidents. Suppose a company is having its products stolen but it’s unclear exactly how that’s occurring. Feeling the need to take some action, the company’s management might decide to put cameras throughout the facilities. However, if the products are being put in briefcases, cameras won’t spot the thefts.

Although getting input from the local police department may be useful in the audit, simply asking the police for advice about ways to improve security is no substitute for an audit. Police focus on law enforcement, which is different than securing a building. Law enforcement responds to criminal activity and security is designed to mitigate criminal activity.

Check Out: Basics of a Security Risk Assessment

Taking Action

Some organizations have a security audit conducted and then fail to act on its recommendations. Taking that approach, however, opens management to liability because there’s an obligation to fix the items that the audit found. An audit is likely to find more problems than there are dollars to address them. At that point management needs to set priorities, determining what situations and events are possible, what their probabilities are, and whether their impacts would be catastrophic, minor or something between the two. These are tough decisions, how do you invest money in things that might never happen?

Of course, if audit recommendations are ignored, and an incident occurs, the company must deal with the effects of the incident as well as the cost of countermeasures, which will surely be taken. In the case of the health care company that ignored the audit recommendation to improve lobby security, the intruders wound up in the office of a facility manager, who called the security manager demanding to know how the breach could have occurred. The security manager pulled out the audit report, which had warned of the risk of such an incident. Companies don’t fully understand the cost associated with the risk. As a result of the incident, the lobby was compartmentalized to preclude the possibility of a similar event in the future.

What facility executives and security directors need to remember is that there is no way to prevent all security incidents. If a security breach occurs, there will often be recriminations, with people saying that management and others involved in security should have seen it coming. But there’s a huge list of things that can happen, the goal from a security standpoint is to identify things most likely to occur and take reasonable steps to prevent them.